I'm not really worried about eavesdropping on my data (temp and humidity every 2 hours). It is being posted to a PHP script on my site, which does not use any database functionality either.
But I would not want my device to be hijacked and participate in DDoS attacks....
I have seen that Expressif released a vulnerability fix for WiFi VPA2 authentication. Apparently it was added into library 2.4.0 and I am running 2.4.1, so I might be protected from that at least.